In-Reply-To: <[email protected]>
On Tue, 01 Aug 2006 16:21:32 +0400, Stas Sergeev wrote:
> >> - .quad 0x0000920000000000 /* 0xd0 - ESPFIX 16-bit SS */
> >> + .quad 0x00cf92000000ffff /* 0xd0 - ESPFIX SS */
> > Seems a bit dangerous to allow access to full 4GB through this. Can you
> > tighten the limit any? I suppose not, because the high bits in %esp
> > really could be anything. But it might be nice to try setting the limit
> > to regs->esp + THREAD_SIZE. Of course, this is not strictly necessary,
> > just an extra paranoid protection mechanism.
> Since, when calculating the base, I do &-THREAD_SIZE, I guess the minimal
> safe limit is regs->esp + THREAD_SIZE*2... Well, may just I not do that please? :)
> For what, btw? There are no such a things for __KERNEL_DS or anything, so
> I just don't see the necessity.
It's really not that hard to get the limit:
limit_in_bytes = new_esp | (THREAD_SIZE - 1)
limit_in_pages = limit_in_bytes >> 12
And this will catch any bad accesses that assume zero-based pointers:
kernel stack is at f7000000
user stack is at b7000000
SS base = 40000000
SS limit = b7001fff
All kernel pointers will be >c0000000 and will trap on access if they
try to use SS. And it will work with any user/kernel split.
--
Chuck
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
